Initialize the AuditEvent with the AuditContext #113611
Conversation
k8s-ci-robot
added
kind/cleanup
k8s-ci-robot
added
sig/api-machinery
|
/triage accepted |
k8s-ci-robot
added
triage/accepted
| } | ||
|
|
||
| // AuditIDFrom returns the value of the audit ID from the request context. | ||
| func AuditIDFrom(ctx context.Context) (types.UID, bool) { | ||
| if ac := AuditContextFrom(ctx); ac != nil { | ||
| return ac.auditID, ac.auditID != "" | ||
| return ac.Event.AuditID, true |
There was a problem hiding this comment.
Nit: Is it always initialized with an ID, so that we don't need to check for empty string as it initialized by WithAuditInit. Isn't it making it easier to make a mistake if the audit pkg is used outside of k8s.io/apiserver? I could imagine that it takes some debugging to figure out that it can be true on an empty string.
There was a problem hiding this comment.
Yes, the audit ID is always initialized at the same time as the audit context: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/endpoints/filters/audit_init.go#L41-L50
But you bring up a good point. Looking at everywhere this is used, I think the bool return value is really meant to indicate whether auditing is enabled. This method isn't used in very many places, so I think we should probably just inline it with an explicit auditContext.Enabled() check instead.
There was a problem hiding this comment.
Actually, since the eventual goal is to make the AuditContext.Event non-exported, I think it makes sense to keep this function as-is for now.
There was a problem hiding this comment.
According to the updated description, ac.Enabled() should be returned instead, in case the policy level is "None".
I am not sure whether that would still align with the original purpose of the bool.
| RequestURI: req.URL.RequestURI(), | ||
| UserAgent: maybeTruncateUserAgent(req), | ||
| Level: level, | ||
| func LogRequestMetadata(ctx context.Context, req *http.Request, requestReceivedTimestamp time.Time, level auditinternal.Level, attribs authorizer.Attributes) { |
There was a problem hiding this comment.
We use the audit package for or openshift/oauth-server and the removal of NewEventFromRequest would break our tests. So I rewrote them against your PR and the usage of the audit package is now really nice. All the changes around the removal of *[]annotations are amazing! 🎉
|
lgtm |
| key, value string | ||
| // Enabled checks whether auditing is enabled for this audit context. | ||
| func (ac *AuditContext) Enabled() bool { | ||
| return ac != nil && ac.Event.Level != auditinternal.LevelNone |
There was a problem hiding this comment.
I think the initial default should return false, right?
func TestEnabled(t *testing.T) {
ac := &AuditContext{}
if ac.Enabled() {
t.Errorf("expected the default to return false")
}
}
maybe add len(ac.Event.Level) > 0
There was a problem hiding this comment.
No, this is intentional. If annotations (or any other request metadata) are recorded before the policy is evaluated, we want to store them. Once the policy is evaluated to None we can stop doing the work in that case. I'll add a comment & test to this affect.
| @@ -167,8 +131,8 @@ func WithAuditContext(parent context.Context) context.Context { | |||
|
|
|||
There was a problem hiding this comment.
I think it's safer for the the initial context to return a LevelNone for the Level field
func WithAuditContext(parent context.Context) context.Context {
if AuditContextFrom(parent) != nil {
return parent // Avoid double registering.
}
ac := &AuditContext{
Event: {
Level: LevelNone
}
}
return genericapirequest.WithValue(parent, auditKey, ac)
}
kubernetes/staging/src/k8s.io/apiserver/pkg/audit/context.go
Lines 159 to 166 in 17bf864
There was a problem hiding this comment.
See above comment about capturing data before the policy is evaluated.
There was a problem hiding this comment.
yes, with the above approach, we are good here.
| @@ -283,11 +283,6 @@ func TestAuthenticationAuditAnnotationsDefaultChain(t *testing.T) { | |||
| // confirm that we can set an audit annotation in a handler before WithAudit | |||
| audit.AddAuditAnnotation(req.Context(), "pandas", "are awesome") | |||
|
|
|||
| // confirm that trying to use the audit event directly would never work | |||
There was a problem hiding this comment.
maybe we should confirm here that the level is set to LevelNone, assert that ac.Enabled() == false, in keeping with the current test assertion?
| @@ -188,19 +152,16 @@ func WithAuditID(ctx context.Context, auditID types.UID) { | |||
| return | |||
| } | |||
| ac := AuditContextFrom(ctx) | |||
| if ac == nil { | |||
| if !ac.Enabled() { | |||
There was a problem hiding this comment.
I think storing the auditID in the request context is orthogonal to audit logging. A cluster operator can disable audit logging, but we would still want to store the auditID in the request context. The auditID is also propagated to the aggregated APIServer(s).
We have some logs that emit the auditID, for example:
I think we would want to keep the log correlation ^, even though audit logging is disabled, thoughts?
There was a problem hiding this comment.
Yeah, that makes sense. You might also be interested in this issue, which has come up a couple of times in sig-apimachinery: #101597
| @@ -81,8 +75,7 @@ func AddAuditAnnotation(ctx context.Context, key, value string) { | |||
| // keysAndValues are the key-value pairs to add, and must have an even number of items. | |||
| func AddAuditAnnotations(ctx context.Context, keysAndValues ...string) { | |||
| ac := AuditContextFrom(ctx) | |||
| if ac == nil { | |||
| // auditing is not enabled | |||
| if !ac.Enabled() { | |||
|
/lgtm Thanks! |
k8s-ci-robot
added
the
lgtm
|
/assign @lavalamp |
|
/assign @liggitt |
|
/unassign |
|
/milestone v1.28 Punting this to the next release. Hopefully we can get it merged early in the cycle. |
|
Hey! v1.28 Bug Triage Lead here. I am reaching out to know if this PR is on track for the 1.28 release and if we could set a priority? Thanks in advance! |
|
/approve Please unhold when https://github.com/kubernetes/kubernetes/pull/113611/files#r1173750961 is clarified. |
k8s-ci-robot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sttts, tallclair The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
@tallclair hey! Can we please label this with priority? Also, just a reminder that the code freeze is starting 01:00 UTC Wednesday 19th July 2023 / 18:00 PDT Tuesday 18th July 2023 (about 3 weeks from now) and while there is still plenty of time, we want to ensure that each PR has a chance to be merged on time. |
sttts
added
the
priority/important-soon
k8s-ci-robot
removed
the
needs-priority
There was a problem hiding this comment.
/lgtm cancel
https://github.com/kubernetes/kubernetes/pull/113611/files#r1231007227 has not been addressed yet
| @@ -65,8 +62,7 @@ type annotation struct { | |||
| // prefer AddAuditAnnotation over LogAnnotation to avoid dropping annotations. | |||
There was a problem hiding this comment.
This godoc mentions functions that no longer exist, please fix that. Perhaps the changes from #117406 might be applicable here?
k8s-ci-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
lgtm
|
LGTM label has been added. Git tree hash: 0c3c22de7f9e5557e679b50aeb4888c2409d9e81
|
|
Thanks for getting this merged. I'm on leave right now, but I'll make sure to pick this back up in the next release cycle. |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
Always initialize the audit event at the beginning of the request chain, and store audit data directly on the event.
Which issue(s) this PR fixes:
For #109087
Does this PR introduce a user-facing change?
/sig auth api-machinery
/milestone v1.26